1347926 – CVE-2015-5723 php-doctrine-orm filesystem permission issues

Bug 1347926 - CVE-2015-5723 php-doctrine-orm filesystem permission issues

Summary: CVE-2015-5723 php-doctrine-orm filesystem permission issues

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	php-doctrine-orm
Sub Component:
Version:	el6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Shawn Iwinski
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-06-18 13:41 UTC by David Eisenstein
Modified:	2016-08-08 21:48 UTC (History)
CC List:	3 users (show)
Fixed In Version:	php-doctrine-orm-2.4.8-1.el6
Clone Of:	1347924
Environment:
Last Closed:	2016-08-08 21:48:50 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Description David Eisenstein 2016-06-18 13:41:27 UTC

+++ This bug was initially created as a clone of Bug #1347924 +++

Description of problem:
Doctrine ORM before 2.4.8 or 2.5.x before 2.5.1 uses world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.

Version-Release number of selected component (if applicable):
php-doctrine-orm-2.4.7-1.el6

See:  http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html

Comment 1 Fedora Update System 2016-07-09 18:53:01 UTC

php-doctrine-orm-2.4.8-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9776e6629a

Comment 2 Fedora Update System 2016-07-09 18:53:06 UTC

php-doctrine-orm-2.4.8-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f0c8b7b115

Comment 3 Fedora Update System 2016-07-09 18:53:10 UTC

php-doctrine-orm-2.4.8-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7e229134f9

Comment 4 Fedora Update System 2016-07-09 18:53:13 UTC

php-doctrine-orm-2.4.8-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-d85f5db77a

Comment 5 Shawn Iwinski 2016-07-09 18:56:31 UTC

Updates submitted for F22+ and EPEL7.  I need to update some other packages in order to push this update to EPEL6.  This bug will remain open until the update hits EPEL6 stable.

Comment 6 Fedora Update System 2016-07-12 02:54:21 UTC

php-doctrine-orm-2.4.8-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-d85f5db77a

Comment 7 Fedora Update System 2016-07-12 03:27:27 UTC

php-doctrine-orm-2.4.8-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9776e6629a

Comment 8 Fedora Update System 2016-07-12 03:56:10 UTC

php-doctrine-orm-2.4.8-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7e229134f9

Comment 9 Fedora Update System 2016-07-12 03:59:38 UTC

php-doctrine-orm-2.4.8-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f0c8b7b115

Comment 10 Fedora Update System 2016-07-19 22:22:55 UTC

php-doctrine-orm-2.4.8-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2016-07-20 00:24:37 UTC

php-doctrine-orm-2.4.8-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2016-07-22 21:38:50 UTC

php-doctrine-orm-2.4.8-1.el6 php-doctrine-dbal-2.4.5-1.el6 php-doctrine-common-2.4.3-2.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-823164477b

Comment 13 Fedora Update System 2016-07-23 21:18:36 UTC

php-doctrine-common-2.4.3-2.el6, php-doctrine-dbal-2.4.5-1.el6, php-doctrine-orm-2.4.8-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-823164477b

Comment 14 Fedora Update System 2016-07-27 19:17:22 UTC

php-doctrine-orm-2.4.8-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2016-08-08 21:48:45 UTC

php-doctrine-common-2.4.3-2.el6, php-doctrine-dbal-2.4.5-1.el6, php-doctrine-orm-2.4.8-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.